Thursday, April 19, 2018

configure openvpn on mikrotik

1- create certificates
$ cd /usr/share/easy-rsa
$ mkdir keys
$ touch keys/index.txt
$ echo 01 > keys/serial
$ source ./vars
$ export PATH=$PATH:/usr/share/easy-rsa
$ pkitool --initca
$ pkitool --server server1
$ pkitool client1



2- upload the files below to mikrotik
keys/ca.crt
keys/server1.crt
keys/server1.key

3- import keys to mikrotik
/certificate
import file=server1.crt
import file=server1.key
import file=ca.crt


4- create pool1 on mikrotik
/ip pool export
/ip pool
add name=pool1 ranges=10.1.1.10-10.1.1.10



5- create openvpn profile
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default remote-ipv6-prefix-pool=\
    none use-compression=default use-encryption=default use-ipv6=yes use-mpls=\
    default use-vj-compression=default
add change-tcp-mss=default local-address=10.1.1.1 name=ovpn only-one=default \
    remote-address=pool1 use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default \
    remote-ipv6-prefix-pool=none use-compression=default use-encryption=yes \
    use-ipv6=yes use-mpls=default use-vj-compression=default



6- create a username password
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=user1 \
    password=password profile=ovpn routes="" service=any



7- enable ovpn server interface on mikrotik
/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn enabled=yes keepalive-timeout=60 mac-address=FE:E0:F2:AF:C8:35 max-mtu=1500 mode=ip netmask=32 port=1194 require-client-certificate=no
(certificate=cert1 must be the name RouterOS assigned to the imported server1.crt, as shown by /certificate print after step 3; with require-client-certificate=no the server authenticates clients by username/password only, so the client1 certificate from step 1 is not required.)



--------------------on client------------

1- use the certificates from
keys/client1.crt
keys/client1.key
keys/ca.crt

--- configuration file: client.conf
client
dev tun
proto tcp
remote 192.168.58.3 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher none
verb 3
auth-user-pass auth.txt
(cipher none disables data-channel encryption on this client; auth.txt holds the password in clear text, so keep it readable only by the account that runs openvpn.)



-- auth.txt:
user1
password


2- to connect
$ openvpn --config client.conf




--tips---
if you got the following message
WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1528', remote='link-mtu 1527'
WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'



it means comp-lzo is enabled in client.conf but not on the server; remove it from client.conf and the connection will establish successfully
